wdac
8 Topics

WDAC: Unable to deploy Vulnerable driver blocklist
Hello, I tried to deploy the Microsoft Vulnerable driver blocklist with an Intune WDAC policy, but I always faced an error using the XML provided by Microsoft: https://aka.ms/VulnerableDriverBlockList

MS doc: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules

Thanks and regards

WDAC + App Control For Business + App Control Wizard
Hello All, We are trying to use the following combination—WDAC, App Control for Business, and the App Control Wizard—to create and deploy WDAC policies in our tenant. We have a general base policy derived from a slightly modified 'Allow Microsoft Mode' template, along with a couple of supplemental policies that explicitly allow certain apps by publisher (such as Palo Alto, Omnissa/VMware, etc.).

Enabled rules on the base policy are as follows:
Enabled:Unsigned System Integrity Policy
Enabled:Advanced Boot Options Menu
Enabled:UMCI
Enabled:Inherit Default Policy
Enabled:Update Policy No Reboot
Enabled:Allow Supplemental Policies
Enabled:Managed Installer

Basically, we are allowing only those applications that are installed via a managed installer—in our case, the Company Portal. For example, if Palo Alto's GlobalProtect is installed through the Company Portal, it is not blocked by the WDAC policy. However, on some devices where GlobalProtect was installed manually, we have a supplemental policy that allows it by publisher. Despite this, the manually installed version of GlobalProtect is still being blocked by WDAC, which suggests the policy isn't working as expected. An example of such a supplemental policy is below:

I'm curious—are there any people or organizations using a similar setup? If so, are you experiencing similar issues? What has the general feedback been regarding this setup?

WDAC Managed Installer and AppLocker Audit logs
Hello, I am looking to deploy WDAC to Intune managed Windows 11 devices. In testing I have followed guidance (link below) to create the required supporting AppLocker ManagedInstaller rule: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#create-and-deploy-an-applocker-policy-that-defines-your-managed-installer-rules-and-enables-services-enforcement-for-executables-and-dlls

In testing, whilst this appears to work (in that an app deployed by Intune is allowed, but the same app installed locally by an admin is not), I have noticed that the configuration results in an excessive amount of logging to the AppLocker Microsoft-Windows-AppLocker/EXE and DLL log, i.e. an 8003 audit event for pretty much every DLL execution:

Does anyone know if this is expected? It seems an obvious question, as I see how the configuration of the AppLocker ManagedInstaller rule collection in audit mode could cause this:

I am just looking for some clarification that this is expected, as I had not anticipated the use of this (MDAC) option to result in such aggressive logging by AppLocker (which I am otherwise not looking to use). I have seen no mention of this in the documentation, so I guess it is either deemed obvious (which one could argue is the case!) or I have misconfigured something? Does anyone else have this configured and, if so, do you see the same?

Many thanks, Phil

WDAC allow rule not working for non-program or Windows directories
I was testing WDAC. I used App Control Wizard to create a Multiple Policy Format Base Policy. I selected the Default Windows Mode and left all options at default (except I turned off audit mode, as I was just testing it on a testing machine). I set up allow rules for the following paths:
%WINDIR%\*
%OSDRIVE%\Program Files\*
%OSDRIVE%\Program Files (x86)\*
%OSDRIVE%\ProgramData\*
%OSDRIVE%\Users\*
%OSDRIVE%\Temp\*

I used CiTool to update the policy on a test machine. WDAC worked for the first 4 directories. I can run MS Office and programs that are located in these 4 directories and their subdirectories. However, it did not work for the last 2 directories (c:\Users and c:\Temp). I used the same program that worked in the first 4 directories. The program execution was blocked by WDAC in c:\Temp. It could be run in c:\Users but not in its subdirectories.

I thought WDAC did not perform blocking by default for the first 4 directories. I removed the allow rules. As soon as I removed the allow rules and updated the policy using CiTool, it did block programs running from the 4 directories. I looked at the event log and cannot figure out why the behavior is different between the first 4 directories and the last 2. Appreciate any comment. Thanks

WDAC not applying via Group Policy
Hello and greetings from Portugal! I'm trying to implement WDAC via group policy. I've used WDAC Wizard, and if I copy the *.cip file to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" I see that WDAC gets enabled, for example using MSInfo32. But I cannot enable WDAC via GPO. I've converted the *.xml to *.bin and enabled "Deploy Windows Defender Application Control". I see the event id 7010 "Device Guard successfully processed the Group Policy: Configurable Code Integrity Policy = Enabled", but the thing is MSInfo still doesn't show that WDAC is activated. Can someone please help?

WDAC Managed Installer: Company Portal
Hello, I've successfully created and pushed our WDAC policy using Intune & OMA-URI. In the WDAC policy I've enabled installations through a "Managed Installer" and want to add Intune\Company Portal as the managed installer, but I have not been able to. The only instructions I have found to accomplish this are at this link (https://www.msworkplace.blog/en-us/entry/windows-defender-application-control-part-2). The script offered on the page executes, but errors out (even locally with an admin/elevated PowerShell). It fails with this error:

Does anyone know why it is failing, or have a better solution to "whitelist" Intune/Company Portal as a Managed Installer?

Thanks, Brandon

WDAC: How to allow a .tmp.node file by an Electron app?
Hi all, I'm facing an issue with a .tmp.node file that is executed by an application called Ledger Live, written with Electron. This application generates a temporary file with a random filename in the user's Temp folder and then executes it. I tried to allow the application's folder (C:\Program Files\Ledger Live\*) and even to whitelist *.tmp.node in the WDAC policy XML. But WDAC still blocked this .tmp.node file from executing, as in the screenshot below. Is there a way to allow it to run or skip the Enterprise signing level check? Thanks.

WDAC deployment guidance and questions.
Hi, I am currently working with a client who currently uses AppLocker and will soon be mandated to use WDAC. I am currently setting it up in audit mode in the short term; however, I will be configuring it with the intention of enabling it. I am looking for some assistance with the deployment of WDAC. A few questions I had were:
- Does WDAC use 'allow' and 'deny' rules, or is it just a whitelist or blacklist control?
- AppLocker has rules based on multiple conditions (path, publisher, hash etc.); how would these transfer to WDAC?
- When merging WDAC policies, is there an order of precedence, or are they just grouped together (in block/allow)?
- Can AppLocker and WDAC co-exist on the same machine at the same time? If so, can AppLocker allow something WDAC doesn't? Or can AppLocker only block what WDAC has allowed?

Some of the scenarios the client does with AppLocker:
- Using certain IT tools is only allowed for an IT AD group.
- C:\Program Files\* is allowed, with exceptions for applications that require users to have modify rights on the directory.
- C:\Windows\* is allowed, with exceptions for dirs/applications that we don't want to be run by a std user (exclusion example: C:\windows\temp).
- App1.exe is hashed and allowed for all users.
- App2.exe is signed and allowed for all users.